OK, I understand that the setting will not be changed.
Then I suggest adding:
<!-- REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH,
PLEASE CHECK THE user-data-constraint ELEMENTS
and below:
If you do not wish to use SSL, remove the "user-data-constraint"
elements.
Note that some Containers will silently fail to log-in users if SSL is
not enabled.
On Tue, Oct 7, 2008 at 6:04 PM, Andrew Jaquith (JIRA) <[EMAIL PROTECTED]> wrote:
>
> [
> https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
> ]
>
> Andrew Jaquith resolved JSPWIKI-212.
> ------------------------------------
>
> Resolution: Won't Fix
>
> SSL is indeed "orthogonal" to container authentication -- in the sense that
> you aren't required to have it turned on. However, I am very strongly opposed
> to taking it out on the grounds of security. Regardless of whether the
> JSPWiki instance is on an intranet or not, the fact is that without SSL,
> credentials travel in the clear. This is bad.
>
> My position on this is that if an administrator is sophisticated enough to
> wire up container authentication, they should be grown-up enough to use SSL
> too. That's a good default security posture, and that is one I want to
> encourage. But if they don't want to use it, they can simply remove the
> CONFIDENTIAL element.
>
> I am sorry this has caused you problems. But the guidance in web.xml for this
> is crystal clear -- there is no way an administrator could miss it.
>
> Marking this as "won't fix."
>
>> transport-guarantee CONFIDENTIAL should be removed from web.xml
>> ---------------------------------------------------------------
>>
>> Key: JSPWIKI-212
>> URL: https://issues.apache.org/jira/browse/JSPWIKI-212
>> Project: JSPWiki
>> Issue Type: Improvement
>> Components: Authentication&Authorization
>> Affects Versions: 2.6.2
>> Environment: apache-tomcat-6.0.16
>> Reporter: Jürgen Weber
>> Assignee: Andrew Jaquith
>> Priority: Minor
>>
>> The default web.xml of JSPWiki contains two times
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> for container managed authorization.
>> But by default Tomcat has not switched on SSL, and trying to log in to
>> JSPWiki you get
>> Firefox can't establish a connection to the server at localhost:8443.
>> By default the user-data-constraint element should be removed as it makes
>> activating container managed authorization unnecessarily difficult.
>> Especially as it is not easy or obvious to notice the connection between the
>> cited error message and the user-data-constraint element.
>
>
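An added example, not part of the original thread or of JSPWiki's code: a Python check that reads a web.xml and a Tomcat server.xml and reports both conditions argued over above, a CONFIDENTIAL constraint whose redirect port has no TLS connector behind it (the localhost:8443 error) and an authenticated constraint with no transport guarantee. The sample XML, the function names and the finding labels are constructed for illustration; 443 is used as the fallback because it is Tomcat's default redirectPort.

```python
import xml.etree.ElementTree as ET

# Constructed samples, shaped like a web.xml and a Tomcat server.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection><url-pattern>/Login.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/> -->
</Service></Server>"""


def constraints(web_xml):
    """Yield (url_patterns, needs_auth, confidential) per security-constraint."""
    for sc in ET.fromstring(web_xml).iter():
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        seen = {}
        for el in sc.iter():  # index descendants by namespace-free tag name
            seen.setdefault(el.tag.rsplit("}", 1)[-1], []).append((el.text or "").strip())
        yield (seen.get("url-pattern", []), "auth-constraint" in seen,
               "CONFIDENTIAL" in seen.get("transport-guarantee", []))


def audit(web_xml, server_xml):
    """Return findings for both failure modes discussed in the thread."""
    # Commented-out connectors are dropped by the parser, so only live ones count.
    conns = [c.attrib for c in ET.fromstring(server_xml).iter("Connector")]
    tls = {c.get("port") for c in conns
           if c.get("SSLEnabled", "").lower() == "true" or c.get("scheme") == "https"}
    findings = []
    for patterns, needs_auth, confidential in constraints(web_xml):
        if needs_auth and not confidential:
            findings.append(f"CLEARTEXT {patterns}: login not forced onto TLS")
        for c in conns:
            target = c.get("redirectPort", "443")  # Tomcat's default redirectPort
            if confidential and c.get("port") not in tls and target not in tls:
                findings.append(f"BROKEN {patterns}: port {c.get('port')} "
                                f"redirects to {target}, no TLS connector there")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, SERVER_XML)) or "no findings")
```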